Magento Bug May Leave Thousands of Ecommerce Sites Exposed
Recently, a bug emerged in the Magento eCommerce platform, one that was patched in fairly short order.
The bug nonetheless has substantial ramifications and may leave online merchants, potentially thousands of them, at risk.
Sucuri, a security research firm, found the bug and noted that it could be used to inject JavaScript code through customer registration forms, code that could later be used against said customers.
The bug, a cross-site scripting (XSS) flaw, affected every version of Magento Community Edition before 1.9.2.3 and Enterprise Edition before 1.14.2.3. The vulnerable code sat in the administrator’s backend, which made for a potentially large problem.
Unless a store sat behind a Web application firewall (WAF), or ran a heavily customized environment that happened to sidestep the problem, as one Sucuri advisor noted, the flaw could essentially hand administrator privileges to any attacker.
If Magento users install the newly developed patch, that should be the end of the problem, at least for this particular iteration.
In the meantime, however, those who shopped on an affected store before the bug was patched could be at risk.
Thus the standard advice goes out: anyone who has made online purchases lately should change some passwords and check credit and debit card statements. It’s standard practice, but with this news it’s more important than usual.
It’s always disconcerting when it’s the site that has the problem, because there’s so little a regular user can do in response to it.
After all, the average shopper can’t verify that the site has patched its Magento systems, is running the latest version, or is even doing something as simple as keeping its antivirus protection up to date.
That’s the site’s responsibility, and all a user can do is watch his or her own payment systems.
Online shopping is a great convenience, and gives us access to a wide array of products and services that previously weren’t available to us.
The price of that convenience and access is vigilance, and those who stay vigilant are less likely to have larger, longer-lasting problems than those who don’t.